Solved: How to use the C# SDK to return a large search res...

pateld · ‎09-14-2016

Hi

I have a "Saved Report" (Named- GetIP), which finds unique IP passed through firewall for th Last 30 days. It reports data approximately 5,000,000 rows.

Search is like this:

index=myIPIndex  | stats max(_time) as LastSeen,Count by foundIP | convert ctime(LastSeen) | sort -LastSeen

I am using C# SDK 2.0. Can someone provide working example to retrieve all 5,000,000 rows? I am getting only first 10,000 rows which is max row defined by Splunk.

Thanks

lguinn2 · ‎09-15-2016

For a start, don't use the sort command in your search. The sort command output is limited to 10,000 results; this is probably the source of your difficulties. See the sort documentation here.

Plus, if you want to sort 5 million values, do it outside of Splunk...

View solution in original post

lguinn2 · ‎09-15-2016

For a start, don't use the sort command in your search. The sort command output is limited to 10,000 results; this is probably the source of your difficulties. See the sort documentation here.

Plus, if you want to sort 5 million values, do it outside of Splunk...

pateld · ‎09-16-2016

I was "sort" command which has limit for 10000
thanks

How to use the C# SDK to return a large search result set (5,000,000 rows)?

Fueling your curiosity with new Splunk ILT and eLearning courses

Splunk AI Assistant for SPL 1.1.0 | Now Personalized to Your Environment for Greater ...

Unleash Unified Security and Observability with Splunk Cloud Platform